Network Attack Visualization

1
Network Attack Visualization

• Greg Conti
• www.cc.gatech.edu/conti

2
Disclaimer

• The views expressed in this presentation are
  those of the author and do not reflect the
  official policy or position of the United States
  Military Academy, the Department of the Army, the
  Department of Defense or the U.S. Government. 

image http//www.leavenworth.army.mil/usdb/stand
ard20products/vtdefault.htm
3
information visualization is the use of
interactive, sensory representations, typically
visual, of abstract data to reinforce cognition.
http//en.wikipedia.org/wiki/Information_visualiza
tion
4
An Art Survey
A B C
http//www.clifford.at/cfun/progex/
http//www.muppetlabs.com/breadbox/bf/
http//www.geocities.com/h2lee/ascii/monalisa.html
http//www.artinvest2000.com/leonardo_gioconda.htm
5
Why InfoVis?
Views

• Patterns
• Anomalies
• Comparisons
• Outliers/Extremes
• Big Picture Details
• Interaction
• Large Datasets

Replies
6
TCP Dump
Packet Capture Visualizations
EtherApe
Ethereal
Tcpdump image http//www.bgnett.no/giva/pcap/tcp
dump.png TCPDump can be found at
http//www.tcpdump.org/ Ethereal image
http//www.linux-france.org/prj/edu/archinet/AMSI/
index/images/ethereal.gif Ethereal by Gerald
Combs can be found at http//www.ethereal.com/ Et
herApe image http//www.solaris4you.dk/sniffersS
S.html Etherape by Juan Toledo can be found at
http//etherape.sourceforge.net/
7
So What?

• Go Beyond the Algorithm
• Complement current systems
• Make CTF a Spectator Sport
• Enhance forensic analysis
• Mine large datasets
• Logs
• Monitor in real time
• Allow big picture, but details on demand
• Fingerprint attacks/tools (people?)
• Alerts (2-3 Million /day)
• Observe attacker behavior (example)

What tasks do you need help with?
8
Recon
Focused Attacks
Destination IP
Next Wave
Time
9
Classical InfoVis Research
10
InfoVis Mantra
Overview First Zoom and Filter Details on Demand
http//www.cs.umd.edu/ben/
11
Overview and Detail
Examples by Dr. John Stasko, see
www.cc.gatech.edu/classes/AY2002/
cs7450_spring/Talks/09-overdetail.ppt for more
details. Game shown is Civilization II
12
Focus and Context
Table Lens
Fisheye View
Examples by Dr. John Stasko, see
www.cc.gatech.edu/classes/AY2001/
cs7450_fall/Talks/8-focuscontext.ppt for more
details. Table lens (right) is from Xerox Parc
and Inxight
13
For more information

• Courses (free)
• Conferences
• Systems
• Research Groups
• Bookmarks on CD

14
Example Classical InfoVis Systems
15
example 1 - data mountain
http//www1.cs.columbia.edu/paley/spring03/assign
ments/HW3/gwc2001/mountain.jpg
16
example 2 - filmfinder
http//transcriptions.english.ucsb.edu/archive/col
loquia/Kirshenbaum/filmfinder.gif
17
example 3 - parallel coordinates
MPG
35
0
A. Inselberg and B. Dimsdale. Parallel
coordinates A tool for visualizing
multidimensional geometry. Proc. of Visualization
'90, p. 361-78, 1990.
http//davis.wpi.edu/xmdv/images/para.gif
18
example 4 -informative art
http//www.viktoria.se/fal/projects/infoart/
19
examples 5 - 72 (on CD)
Many, many untapped security applications
20
More InformationInformation Visualization

• Envisioning Information by Tufte
• The Visual Display of Quantitative Information by
  Tufte
• Visual Explanations by Tufte
• Beautiful Evidence by Tufte (due this year)
• Information Visualization by Spence
• Information Visualization Using Vision to Think
  by Card
• See also the Tufte road show, details at
  www.edwardtufte.com

images www.amazon.com
21
Representative Security Visualization Research
22
Soon Tee Teoh

• Routing Anomalies

http//graphics.cs.ucdavis.edu/steoh/
See also treemap basic research
http//www.cs.umd.edu/hcil/treemap-history/index.s
html
23
Secure Scope
http//www.securedecisions.com/main.htm
24
Starlight
http//starlight.pnl.gov/
25
Open Source Security Information Management
(OSSIM)
http//www.ossim.net/screenshots/metrics.jpg
26
TCP/IP SequenceNumber Generation

• Michal Zalewski

Linux 2.2 TCP/IP sequence numbers are not as good
as they might be, but are certainly adequate, and
attack feasibility is very low.
Linux 2.2 TCP/IP sequence numbers are not as good
as they might be, but are certainly adequate, and
attack feasibility is very low.
xn sn-2 - sn-3 yn
sn-1 - sn-2 zn sn - s n-1
xn sn-2 - sn-3 yn sn-1 - sn-2
zn sn - s n-1
Follow-up paper - http//lcamtuf.coredump.cx/newt
cp/
Initial paper - http//razor.bindview.com/publish
/papers/tcpseq/print.html
27
Wireless Visualization
http//www.ittc.ku.edu/wlan/images_all_small.shtml
28
Observing Intruder Behavior

• Dr. Rob Erbacher
• Visual Summarizing and Analysis Techniques for
  Intrusion Data
• Multi-Dimensional Data Visualization
• A Component-Based Event-Driven Interactive
  Visualization Software Architecture

http//otherland.cs.usu.edu/erbacher/
29
GlyphsDr. Rob Erbacher
http//otherland.cs.usu.edu/erbacher/
30
examples 9 - 45 (to be posted)
31
Hot Research Areas

• visualizing vulnerabilities
• visualizing IDS alarms (NIDS/HIDS)
• visualizing worm/virus propagation
• visualizing routing anamolies
• visualizing large volume computer network logs
• visual correlations of security events
• visualizing network traffic for security
• visualizing attacks in near-real-time
• security visualization at line speeds
• dynamic attack tree creation (graphic)
• forensic visualization

http//www.cs.fit.edu/pkc/vizdmsec04/
32
More Hot Research Areas

• feature selection and construction
• incremental/online learning
• noise in the data
• skewed data distribution
• distributed mining
• correlating multiple models
• efficient processing of large amounts of data
• correlating alerts
• signature and anomaly detection
• forensic analysis

http//www.cs.fit.edu/pkc/vizdmsec04/
33
Building a System
34
Visual IDS
35
System Architecture
Ethernet
tcpdump (pcap, snort) Perl Perl xmgrace (
gnuplot)
tcpdump capture files
winpcap VB VB VB
Packet Capture
Creativity
Parse
Process
Plot
36
rumint tool components (CD)
37
(No Transcript)
38
parallel port views
External Port Internal Port 65,535
65,535 0
0
External IP Internal
Port 255.255.255.255
65,535 0.0.0.0
0
External IP Internal
IP 255.255.255.255 255.255.255.255
0.0.0.0
0.0.0.0
39
External IP External Port
Internal Port
Internal IP 255.255.255.255
65,535 65,535
255.255.255.255 0
.0.0.0 0
0
0.0.0.0
Also a Port to IP to IP to Port View
40
sara 5.0.3 (port to port view)
Medium
Heavy
Light
41
Tool Fingerprinting (port to port view)
SuperScan 3.0 (XP)
nmap 3 UDP (RH8)
scanline 1.01 (XP)
nmap 3 (RH8)
NMapWin 3 (XP)
SuperScan 4.0 (XP)
nmap 3.5 (XP)
nikto 1.32 (XP)
42
time sequence data(external port vs. packet)
nmap win
superscan 3
ports
ports
packets
packets
Also internal/external IP and internal port
43
packet length and protocol type over time
packets
ports
length
44
30 days on the Georgia Tech honeynet
External IP Internal Port
External Port Internal Port
45
Demos

• rumint
• xmgrace
• treemap
• worm propagation
• survey x 2 .ppt
• links

46
classic infovis survey (on CD)
security infovis survey (www.cc.gatech.edu/conti)
perl/linux/xmgrace demo (on CD)
this talk (on CD www.cc.gatech.edu/conti)
rumint tool (on CD)
bookmarks (on CD)
47
Acknowledgements

• 404.se2600
• Clint
• Hendrick
• icer
• Rockit
• StricK
• Dr. John Stasko
• http//www.cc.gatech.edu/john.stasko/
• Dr. Wenke Lee
• http//www.cc.gatech.edu/wenke/
• Dr. John Levine
• http//www.eecs.usma.edu/
• Julian Grizzard
• http//www.ece.gatech.edu/

48

• Questions?

http//carcino.gen.nz/images/index.php/04980e0b/53
c55ca5